v1.5.0 · Apache 2.0 · Open Source Research Artifact

Governed Security Hunting for the Agentic AI Era

Your SIEM has no baseline for a multi-agent tool call chain. Your EDR cannot see inside an LLM gateway. GSH is an open-source runtime security framework for AI agents and MCP systems: structured hunt playbooks, a policy-driven Sentinel engine, and detection logic for runaway agents, unauthorized tool calls, behavioral drift, DNS exfiltration, and poisoned MCP tools — every signal mapped to MITRE ATLAS and NIST CSF 2.0.

MITRE ATLAS mapped NIST CSF 2.0 aligned MITRE ATT&CK cross-referenced MCP aware
5
Hunt Playbooks
5
Core Components
10+
ATLAS Techniques
4
Reference Scripts
The Gap

Traditional threat hunting cannot keep pace with agentic threats

PEAK and TaHiTI were built for human adversaries moving at human speed. Agentic threats operate at inference speed, leave no file system artifacts, and attack the semantic content of a context window. Three structural gaps follow.

⚠️

Human-paced hunting cycles

Hypothesis-driven hunts run daily or weekly. A rogue agent exfiltrating context data through DNS encoding completes its mission in minutes, across thousands of queries, before any analyst forms a hypothesis.

👁️

Invisible attack surface

The attack surface is the context window itself: poisoned tool descriptions, adversarial retrievals, and injected instructions never touch disk and never appear in endpoint telemetry.

📊

No behavioral baselines

A retrieval agent making hundreds of DNS queries per minute is normal. The same volume to a newly registered domain with encoded subdomains is critical. Without agent-aware baselines, both look identical.

Architecture

The GSH Defense Loop

A continuous four-stage loop replaces periodic human-initiated hunts. Sovereign Sentinels are designed to run as persistent agents monitoring peer agents and enforcing behavioral boundaries at the tool invocation layer. The reference implementation runs this full loop today against synthetic telemetry — wiring stage 1 to a real LLM gateway or MCP event stream is the integration step before production enforcement.

DDI-AI Telemetry Collection

DNS, DHCP, and IPAM streams ingested per agent namespace. Shannon entropy, query length outliers, and beaconing regularity computed in real time.

Sovereign Sentinel Analysis

Persistent hunting agents apply playbook detection logic: tool call anomaly detection, semantic injection scoring, drift measurement, loop detection.

ZTLV Gate Enforcement

Every tool call is validated against the agent capability manifest before execution. Permit, throttle, or block, with full audit logging.

Adaptive Baseline Update

Findings, false positive resolutions, and exception grants feed back into the behavioral baseline, continuously refining detection thresholds.

stage 04 ↺ feeds back into stage 01 · continuous, autonomous, self-healing
Components

Five components, one governed hunting fabric

Each component is specified in the companion research paper (in preparation) and operationalized by the reference scripts and default Sentinel policy in the repository.

core agent

Sovereign Sentinel

A purpose-built AI hunting agent deployed alongside LLM gateways. Four modules: telemetry ingestion, behavioral analysis, ZTLV enforcement gate, and alert-and-response. Sentinels monitor each other for compromise, keeping the hunting fabric itself self-healing.

network layer

DDI-AI Fusion

Agent-namespace-aware baselining over DNS, DHCP, and IPAM telemetry. Separates the legitimate high-volume network activity of retrieval agents from adversarial covert channels.

enforcement

ZTLV Gate

Zero-Trust Logic Validation at the tool invocation layer. Declarative capability manifests define authorized tools, parameter ranges, and data namespaces per agent. Everything else is blocked.

detection

Behavioral Baseline Engine

Continuous model output drift detection using a standardized probe set, embedding drift scoring, and rolling per-agent baselines.

validation

Cognitive Red Teaming

Structured adversarial testing of the semantic attack surface: direct and indirect injection, backdoor trigger probing, and capability boundary testing.

Operational Suite

Five hunt playbooks, with working reference detection logic

Each playbook ships with a threat hypothesis, behavioral indicators, required data sources, detection logic with thresholds, a triage decision tree, and prioritized response actions.

HUNT-001High

Agentic Loop Detection

Detects non-terminating execution cycles: runaway token velocity, repeated identical tool calls, sub-agent spawning cascades, and memory re-read loops.

ATLAS AML.T0048, AML.T0040 · CSF DE.AE-02, DE.CM-01, RS.MI-01
HUNT-002Critical

DDI Tunneling Anomaly

Detects covert exfiltration and C2 over DNS, DHCP, and IPAM: high-entropy subdomains, NXDOMAIN spikes, TXT abuse, and machine-regular beaconing.

ATLAS AML.T0048, AML.T0051 · ATT&CK T1071.004, T1048, T1568
HUNT-003Critical

Model Poisoning & Behavioral Drift

Detects dataset poisoning, checkpoint supply chain compromise, and RAG poisoning through probe set evaluation and embedding drift scoring against a 30-day baseline.

ATLAS AML.T0020, AML.T0043, AML.T0044 · CSF ID.RA-01, DE.CM-06
HUNT-004Critical

Rogue Agent Detection

Detects agents operating outside their behavioral envelope: manifest violations, semantic injection pivots, and context-to-network exfiltration correlation, scored into a composite rogue index.

ATLAS AML.T0051, AML.T0053, AML.T0054 · CSF PR.PS-04, RS.AN-03
NEW IN v1.1
HUNT-005Critical

MCP Supply Chain & Tool Poisoning

Detects poisoned Model Context Protocol servers: tool description injection, post-approval definition rug pulls, tool shadowing, and invisible Unicode payloads. Uses approval-time schema hashing, continuous semantic scanning, and canary comparison to catch compromise of the tool supply chain itself.

ATLAS AML.T0010, AML.T0051, AML.T0053 · ATT&CK T1195 · CSF ID.SC-04, PR.PS-04, DE.CM-06
Framework Alignment

Threat coverage matrix

Every detection signal is mapped to industry taxonomies so findings drop straight into your existing reporting and compliance workflows.

ThreatMITRE ATLASMITRE ATT&CKNIST CSF 2.0
Agentic Loop / Resource ExhaustionAML.T0048 AML.T0040DE.AE-02 DE.CM-01 RS.MI-01
DDI Covert Channel ExfiltrationAML.T0048 AML.T0051T1071.004 T1048 T1568DE.CM-01 DE.AE-04 PR.DS-01
ML Model Poisoning / Behavioral DriftAML.T0020 AML.T0043 AML.T0044ID.RA-01 DE.AE-02 DE.CM-06
Rogue Agent / Unauthorized Tool UseAML.T0051 AML.T0053 AML.T0054PR.PS-04 DE.CM-01 RS.AN-03
MCP Supply Chain / Tool PoisoningAML.T0010 AML.T0051 AML.T0053T1195ID.SC-04 PR.PS-04 DE.CM-06
Deployment

From clone to enforcement in four phases

Start passive, build a behavioral baseline, then graduate to full ZTLV enforcement. The default policy ships sane thresholds you tune to your environment.

1

Passive baseline (days 1 to 7)

Deploy Sentinels in passive mode; collect telemetry, allowlist known false positive patterns.

2

Alert-only (days 8 to 14)

Activate alerting; review false positive rate; refine thresholds and capability manifests.

3

Enforcement (day 15+)

Enable ZTLV standard mode with automated quarantine and throttling responses.

4

Continuous validation

Quarterly Cognitive Red Team exercises; update probe sets, baselines, and playbook coverage.

# clone and install
git clone https://github.com/sunilgentyala/gsh-framework.git
cd gsh-framework && pip install -r requirements.txt

# deploy a Sovereign Sentinel in passive mode
python scripts/gsh-sentinel-deploy.py \
  --target "llm-gateway-01" \
  --mode passive \
  --playbooks "hunt-001,hunt-002,hunt-003,hunt-004,hunt-005" \
  --policy configs/sentinel-policy-default.yaml \
  --baseline-window 7d

# snapshot MCP tool definitions (Hunt-005)
python scripts/gsh-probe-eval.py --mode mcp-snapshot \
  --server "corp-tools-mcp-01"

Hunt-001 through Hunt-004 (gsh-sentinel-deploy.py) run against a synthetic telemetry generator by default (logged as SIMULATION MODE at startup) so the detection logic is visible immediately; point them at a real LLM gateway event stream before using them for live enforcement. Hunt-005 is different: gsh-mcp-proxy.py is a real MCP JSON-RPC stdio proxy that intercepts actual tool definitions and tool calls and can permit, alert, or block them — see the README for the full command.

Research

Citation

GSH is an open-source research artifact. A companion research paper is in preparation. If you use GSH in your research, please cite:

@misc{gentyala2026gsh,
  author       = {Gentyala, Sunil},
  title        = {The Governed Security Hunting (GSH): An Autonomous Agentic
                  Framework for Defending the Cognitive Cyber Domain},
  year         = {2026},
  howpublished = {Open Source Research Artifact, GitHub},
  url          = {https://github.com/sunilgentyala/gsh-framework}
}